Intune - Entra ID Join vs Entra ID Hybrid Join

Copper Contributor

Greetings everyone,


To begin this, let's imagine that a migration is being done for an organization and that Intune will be the chosen MDM solution. 


Autopilot will be used and let's consider two different options:

  • Autopilot with Entra join for the device
  • Autopilot with Entra Hybrid join for the device


There are some main things I already consider when choosing between one or the other, such as:

  • Considering the Entra Hybrid join scenario:
    • The difficulty in setting up a tunnel (especially for some VPN brands) for frontline workers to be able to have access to the Domain Controller 
  • Considering the Entra join scenario:
    • Some legacy applications that might require some device authentication aspect
    • Group Policy Objects will not be applied

The main objective of this discussion is to understand what are the main advantages and disadvantages regarding each one of these scenarios, in order to have a clear understanding of what are the possible implications of choosing the exclusively Entra join scenario (like "What capabilities are lost when we choose the Entra join scenario?"). 


I have read the documentation and know that "Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Autopilot.", but I would like to get even more information regarding this topic and maybe even some professional nuance from people who have gone through the same process. Basically the good, the bad and the ugly type of insights.


I would like to thank in advance any corrections about misconceptions or errors I might have written in this post and thank everyone who takes time to reply and be part of this discussion. 



2 Replies

We faced the same challenge. We have multiple locations worldwide and migrated all computers to a domain via AutoPilot and Hybrid Join.


The reason we didn't opt for an Azure AD Join is that we have many on-premises applications requiring local authentication, such as file servers, web apps via SSO or User certificate authentication, or applications via SSO/LDAP SSO. Additionally, we have many GPOs that aren't fully translatable into Intune.


To do this, we have deployed domain controllers in Azure in different regions: America, Europe and Asia. We have set up a point-to-site VPN with certificate authentication for the allways on VPN. I always say that a hybrid join is still the best option when employees rely often need local resources that require seamless authentication, such as in warehouse or production environments. If many applications require local authentication, or we also have applications where the computer needs account permissions to local file servers etc. then a hybrid join is to be preferred.


But if you have small offices that mainly do their own thing, or use terminal server solutions like AVD or cloud applications, it's fine to just connect to Azure.

Well... when you have tons of existing domain joined devices and you want to enroll them to Entra and by doing so also enrolling them to Intune, hybrid joining them is no issue at all. But when wiping/resetting or buying new devices, Microsoft indeed will advice you to go cloud only/cloud native.

Why? In most situations the cloud native option just works... you can still get an sso to your onpremise file server/websites. Of course there are some examples in which hybrid could still be the way to go (if device authentication is required )...